(54) Method for secure session key generation and authentication



(57) A key establishment protocol includes the generation of a value of a cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.
Description

The present invention relates to key agreement protocols for transfer and authentication of encryption keys.

To retain privacy during the exchange of information it is well known to encrypt data using a key. The key must be chosen so that the correspondents are able to encrypt and decrypt messages but such that an interceptor cannot determine the contents of the message.

In a secret key cryptographic protocol, the correspondents share a common key that is secret to them. This requires the key to be agreed upon between the correspondents and for provision to be made to maintain the secrecy of the key and provide for change of the key should the underlying security be compromised.

Public key cryptographic protocols were first proposed in 1976 by Diffie-Hellman and utilized a public key made available to all potential correspondents and a private key known only to the intended recipient. The public and private keys are related such that a message encrypted with the public key of a recipient can be readily decrypted with the private key but the private key cannot be derived from the knowledge of the plaintext, ciphertext and public key.

Key establishment is the process by which two (or more) parties establish a shared secret key, called the session key. The session key is subsequently used to achieve some cryptographic goal, such as privacy. There are two kinds of key agreement protocol: key transport protocols, in which a key is created by one party and securely transmitted to the second party; and key agreement protocols, in which both parties contribute information which jointly establishes the shared secret key. The number of message exchanges required between the parties is called the number of passes. A key establishment protocol is said to provide implicit key authentication (or simply key authentication) if one party is assured that no other party aside from a specially identified second party may learn the value of the session key. The property of implicit key authentication does not necessarily mean that the second party actually possesses the session key. A key establishment protocol is said to provide key confirmation if one party is assured that a specially identified second party actually has possession of a particular session key. If the authentication is provided to both parties involved in the protocol, then the key authentication is said to be mutual; if provided to only one party, the authentication is said to be unilateral.

There are various prior proposals which claim to provide implicit key authentication.

Examples include the Nyberg-Rueppel one-pass protocol and the Matsumoto-Takashima-Imai (MTI) and the Goss and Yacobi two-pass protocols for key agreement.

The prior proposals ensure that transmissions between correspondents to establish a common key are secure and that an interloper cannot retrieve the session key and decrypt the ciphertext. In this way security for sensitive transactions such as transfer of funds is provided.

For example, the MTI/A0 key agreement protocol establishes a shared secret K, known to the two correspondents, in the following manner:-

1. During initial, one-time setup, key generation and publication is undertaken by selecting and publishing an appropriate system prime p and generator $\alpha \in \mathbb{Z}_p^*$ in a manner guaranteeing authenticity. Correspondent A selects as a long-term private key a random integer a, $1 \le a \le p-2$, and computes a long-term public key $z_A = \alpha^a \bmod p$. B generates analogous keys b, $z_B$. A and B have access to authenticated copies of each other's long-term public key.

2. The protocol requires the exchange of the following messages.

A → B: $\alpha^x \bmod p$   (1)
A ← B: $\alpha^y \bmod p$   (2)

The values of x and y remain secure during such transmissions as it is impractical to determine the exponent even when the value of $\alpha$ and the exponentiation is known, provided of course that p is chosen sufficiently large.

3. To implement the protocol the following steps are performed each time a shared key is required.

(a) A chooses a random integer x, $1 \le x \le p-2$, and sends B message (1), i.e. $\alpha^x \bmod p$.

(b) B chooses a random integer y, $1 \le y \le p-2$, and sends A message (2), i.e. $\alpha^y \bmod p$.

(c) A computes the key $K = (\alpha^y)^a z_B^{\,x} \bmod p$.

(d) B computes the key $K = (\alpha^x)^b z_A^{\,y} \bmod p$.

(e) Both share the key $K = \alpha^{ay+bx}$.

In order to compute the key K, A must use his secret key a and the random integer x, both of which are known only to him. Similarly B must use her secret key b and random integer y to compute the session key K. Provided the secret keys a, b remain uncompromised, an interloper cannot generate a session key identical to the other correspondent. Accordingly, any ciphertext will not be decipherable by both correspondents.

As such this and related protocols have been considered satisfactory for key establishment and resistant to conventional eavesdropping or man-in-the-middle attacks.

In some circumstances it may be advantageous for an adversary to mislead one correspondent as to the true identity of the other correspondent.

In such an attack an active adversary or interloper E modifies messages exchanged between A and B, with the result that B believes that he shares a key K with E while A believes that she shares the same key K with B. Even though E does not learn the value of K, the misinformation as to the identity of the correspondents may be useful.

A practical scenario where such an attack may be launched successfully is the following. Suppose that B is a bank branch and A is an account holder. Certificates are issued by the bank headquarters and within the certificate is the account information of the holder. Suppose that the protocol for electronic deposit of funds is to exchange a key with a bank branch via a mutually authenticated key agreement. Once B has authenticated the transmitting entity, encrypted funds are deposited to the account number in the certificate. If no further authentication is done in the encrypted deposit message (which might be the case to save bandwidth) then the deposit will be made to E's account.

It is therefore an object of the present invention to provide a protocol in which the above disadvantages are obviated or mitigated.

According therefore to the present invention there is provided a method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator $\alpha$ and respective ones of said private keys a, b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said correspondent B selecting a second random integer y and exponentiating a function $f'(\alpha)$ including said generator to a power $g(y)$ to provide a second exponentiated function $f'(\alpha)^{g(y)}$;

iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

v) said second correspondent B generating a value h of a function $F[\pi, K]$ where $F[\pi, K]$ denotes a cryptographic function applied conjointly to $\pi$ and K and where $\pi$ is a subset of the public information provided by B thereby to bind the values of $\pi$ and K;

vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponential function $f'(\alpha)^{g(y)}$ and said value h of said cryptographic function $F[\pi, K]$;

vii) said first correspondent receiving said message and computing a session key K* from information made public by said second correspondent B and private to said first correspondent A;

viii) said first correspondent A computing a value h* of a cryptographic function $F[\pi, K]$; and

ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

As the session key K can only be generated using information that is private to either A or B, the binding of K with $\pi$ with the cryptographic function h prevents E from extracting K or interjecting a new value function that will correspond to that obtained by A.

Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system.

Referring therefore to Figure 1, a pair of correspondents, 10, 12, denoted as correspondent A and correspondent B, exchange information over a communication channel 14. A cryptographic unit 16, 18 is interposed between each of the correspondents 10, 12 and the channel 14. A key 20 is associated with each of the cryptographic units 16, 18 to convert plaintext carried between each unit 16, 18 and its respective correspondent 10, 12 into ciphertext carried on the channel 14.

In operation, a message generated by correspondent A, 10, is encrypted by the unit 16 with the key 20 and transmitted as ciphertext over channel 14 to the unit 18.

The key 20 operates upon the ciphertext in the unit 18 to generate a plaintext message for the correspondent B, 12. Provided the keys 20 correspond, the message received by the correspondent 12 will be that sent by the correspondent 10.

In order for the system shown in Figure 1 to operate it is necessary for the keys 20 to be identical and therefore a key agreement protocol is established that allows the transfer of information in a public manner to establish the identical keys. A number of protocols are available for such key generation and embodiments of the present invention will be described below in the context of modifications of existing protocols.

A commonly used set of protocols are collectively known as the Matsumoto-Takashima-Imai or "MTI" key agreement protocols, and are variants of the Diffie-Hellman key exchange. Their purpose is for parties A and B to establish a secret session key K.

The system parameters for these protocols are a prime number p and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. Correspondent A has private key a and public key $p_A = \alpha^a$. Correspondent B has private key b and public key $p_B = \alpha^b$. In all four protocols exemplified below, $\text{text}_A$ refers to a string of information that identifies party A. If the other correspondent B possesses an authentic copy of correspondent A's public key, then $\text{text}_A$ will contain A's public-key certificate, issued by a trusted center; correspondent B can use his authentic copy of the trusted center's public key to verify correspondent A's certificate, hence obtaining an authentic copy of correspondent A's public key.
In each example below it is assumed that an interloper E wishes to have messages from A identified as having originated from E herself. To accomplish this, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = (p_A)^e = \alpha^{ae} \bmod p$, and gets this certified as her public key. E does not know the exponent ae, although she knows e. By substituting $\text{text}_E$ for $\text{text}_A$, the correspondent B will assume that the message originates from E rather than A and use E's public key to generate the session key K. E also intercepts the message from B and uses her secret random integer e to modify its contents. A will then use that information to generate the same session key allowing A to communicate with B.

The present invention is exemplified by modifications to 4 of the family of MTI protocols which foil this new attack thereby achieving the desired property of mutual implicit authentication. In the modified protocols exemplified below F(X, Y) denotes a cryptographic function applied to a string derived from X and Y. Typically and as exemplified a hash function, such as the NIST "Secure Hash Algorithm" (SHA-1), is applied to the string obtained by concatenating X and Y but it will be understood that other cryptographic functions may be used.

Example 1 - MTI/A0 protocol

The existing protocol operates as follows:-

1. Correspondent A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.

2. Correspondent B generates a random integer y, $1 \le y \le p-2$, computes $\alpha^y$, and sends $\{\alpha^y, \text{text}_B\}$ to party A.

3. Correspondent A computes $K = (\alpha^y)^a \cdot (p_B)^x = \alpha^{ay+bx}$.

4. Correspondent B computes

A common key K is thus obtained. However, with this arrangement, interloper E may have messages generated by correspondent A identified as having originated from E in the following manner.

1. E intercepts A's message $\{\alpha^x, \text{text}_A\}$ and replaces it with $\{\alpha^x, \text{text}_E\}$. The provision of the message $\text{text}_E$ identifies the message as having originated at E.

2. B sends $\{\alpha^y, \text{text}_B\}$ to E, who then forwards $\{(\alpha^y)^e, \text{text}_B\}$ to A. Since A receives $\text{text}_B$, he assumes the message originates at B and, as he does not know the value of y, assumes that it is valid information.

3. A computes $K = (\alpha^{ye})^a (p_B)^x = \alpha^{aey+bx}$.

4. B computes $K = (\alpha^x)^b (p_E)^y = \alpha^{bx+aey}$.

5. A and B now share the key K, even though B believes he shares a key with E.



Accordingly any further transactions from A to B will be considered by B to have originated at E. B will act accordingly crediting instruction to E. Even though the interloper E does not learn the value of the session key K, nevertheless the assumption that the message originates at E may be valuable and achieve the desired effect.

To avoid this problem, the protocol is modified as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $\alpha^y$, $K = (\alpha^x)^b (p_A)^y = \alpha^{ay+bx}$, and a value h of cryptographic hash function $F(\alpha^y, \alpha^{ay+bx})$ which is a function of public information $\pi$ and the key K. B sends $\{\alpha^y, h, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$. A also computes a value h* of cryptographic hash function $F(\alpha^y, K)$ and verifies that this value is equal to h.



If E attempts to interpose her identification, $\text{text}_E$, the attack fails on the modified protocols because in each case B sends the hash value $F(\pi, K)$, where $\pi$ is B's random exponential, $\alpha^y$, thereby binding together the values of $\pi$ and K. E cannot subsequently replace the value of $\pi$ with $\pi^e$ and compute $F(\pi^e, K)$ since E does not know K. Even though E knows $\alpha^y$, this is not sufficient to extract K from the hash value h. Accordingly, even if E interposes the value $\alpha^{ye}$ so that the keys 20 will agree, the values h, h* will not.

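As an added illustration, not part of the patent's text, the following Python carries the MTI/A0 exchange, E's interposition, and the modified protocol's h/h* check through on constructed toy parameters p = 23, α = 5; the function names, the 4-byte encoding of the inputs, and the SHA-1 instantiation of F are assumptions made here.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters so every value can be checked by hand (an
# assumption of this demonstration, not a parameter from the patent).  A real
# deployment uses a large prime p and a generator of a large prime-order subgroup.
P = 23       # system prime p
ALPHA = 5    # generator alpha of Z*_p (5 is a primitive root modulo 23)


def F(pi: int, K: int) -> bytes:
    """The patent's F(pi, K): SHA-1 over the concatenation of pi and K."""
    return hashlib.sha1(pi.to_bytes(4, "big") + K.to_bytes(4, "big")).digest()


def keygen():
    """Long-term key pair (priv, pub = alpha^priv mod p) with 1 <= priv <= p-2."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(ALPHA, priv, P)


def key_at_A(a: int, x: int, alpha_y: int, p_B: int) -> int:
    """A's MTI/A0 computation: K = (alpha^y)^a * (p_B)^x mod p."""
    return pow(alpha_y, a, P) * pow(p_B, x, P) % P


def key_at_B(b: int, y: int, alpha_x: int, p_A: int) -> int:
    """B's MTI/A0 computation: K = (alpha^x)^b * (p_A)^y mod p."""
    return pow(alpha_x, b, P) * pow(p_A, y, P) % P


def honest_run(a, p_A, b, p_B, x, y):
    """Modified MTI/A0 with no interloper: returns (K_A, K_B, h, h_star)."""
    alpha_x, alpha_y = pow(ALPHA, x, P), pow(ALPHA, y, P)
    K_B = key_at_B(b, y, alpha_x, p_A)
    h = F(alpha_y, K_B)                    # B binds its public exponential to K
    K_A = key_at_A(a, x, alpha_y, p_B)
    h_star = F(alpha_y, K_A)               # A recomputes over what it received
    return K_A, K_B, h, h_star


def interposed_run(a, p_A, b, p_B, e, x, y):
    """Modified MTI/A0 with interloper E holding p_E = (p_A)^e, as in the
    patent's attack: E relabels A's message as her own and forwards
    (alpha^y)^e to A.  Returns (K_A, K_B, h, h_star): the keys agree, the
    hash values do not."""
    p_E = pow(p_A, e, P)                   # E's certified key alpha^{ae}; E knows only e
    alpha_x, alpha_y = pow(ALPHA, x, P), pow(ALPHA, y, P)
    K_B = key_at_B(b, y, alpha_x, p_E)     # B sees text_E, so uses p_E
    h = F(alpha_y, K_B)                    # h = F(alpha^y, K) computed by B
    forwarded = pow(alpha_y, e, P)         # E replaces alpha^y with (alpha^y)^e
    K_A = key_at_A(a, x, forwarded, p_B)   # A still derives the same K
    h_star = F(forwarded, K_A)             # A hashes pi = (alpha^y)^e, not alpha^y
    return K_A, K_B, h, h_star


def accepts(h: bytes, h_star: bytes) -> bool:
    """A's check from step 3 of the modified protocol (constant-time compare)."""
    return hmac.compare_digest(h, h_star)


if __name__ == "__main__":
    a, p_A = keygen()
    b, p_B = keygen()
    K_A, K_B, h, h_star = interposed_run(a, p_A, b, p_B, 5, 4, 9)
    print("keys agree:", K_A == K_B, "| A accepts h:", accepts(h, h_star))
```

With fixed values (a = 3, b = 7, e = 5, x = 4, y = 9) the interposed run yields K = 11 at both ends while A's check fails, which is exactly the separation between the keys 20 agreeing and the values h, h* disagreeing.
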
Example 2 - MTI/B0 protocol
In this protocol,

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

This protocol is vulnerable to the interloper E if:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$ to identify herself as the originator of the message.

2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

5. A and B now share the key K, even though B believes he shares a key with E.

This protocol may be modified to resist E's attack as follows.

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$ and the value h of hash function $F(\alpha^{ay}, \alpha^{x+y})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$. A also computes the value h* of hash function $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.

Once again, E cannot determine the session key K and so cannot generate a new value of the hash function to maintain the deception.

Example 3 - MTI/C0 protocol

This protocol operates as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{ay})^{a^{-1}x} = \alpha^{xy}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}y} = \alpha^{xy}$.

The interloper E may interpose her identity as follows:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$.

2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{ay})^{a^{-1}x} = \alpha^{xy}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}y} = \alpha^{xy}$.

5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this attack the protocol is modified as follows:-
1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}y} = \alpha^{xy}$, and the value h of hash function $F(\alpha^{ay}, \alpha^{xy})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{ay})^{a^{-1}x} = \alpha^{xy}$. A also computes the value h* of $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.



Example 4 - MTI/C1 protocol

In this protocol:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^{by} = \alpha^{aby}$, and sends $\{\alpha^{aby}, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.

4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

E can act as an interloper as follows:-

1. E replaces A's message $\{\alpha^{abx}, \text{text}_A\}$ with $\{\alpha^{abx}, \text{text}_E\}$.

2. B sends $\{(p_E)^{by}, \text{text}_B\}$ to E, who then computes $((p_E)^{by})^{e^{-1}} = \alpha^{aby}$ and forwards $\{\alpha^{aby}, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.

4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this, the protocol is modified as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^{by} = \alpha^{aby}$, $K = (\alpha^{abx})^y = \alpha^{abxy}$ and $h = F(\alpha^{aby}, \alpha^{abxy})$. B sends $\{\alpha^{aby}, h, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$. A also computes $h' = F(\alpha^{aby}, K)$ and verifies that this value is equal to h.

In each of the modified protocols discussed above, key confirmation from B to A is provided.

As noted above, instead of F being a cryptographic hash function other functions could be used. For example, an option available is to choose $F = \varepsilon$, where $\varepsilon$ is the encryption function of a suitable symmetric-key encryption scheme, and K is the session key established. Because E cannot generate the session key K, it is similarly not able to generate the value of the function F and therefore cannot interpose for the correspondent A.

The technique described above can be applied to other similar key exchange protocols, including all of the 3 infinite classes of MTI protocols called MTI-A(k), MTI-B(k) and MTI-C(k).

The Goss authenticated key exchange protocol is similar to the MTI/A0 protocol, except that the session key is the bitwise exclusive-OR of $\alpha^{ay}$ and $\alpha^{bx}$; that is $K = \alpha^{ay} \oplus \alpha^{bx}$ instead of being the product of $\alpha^{ay}$ and $\alpha^{bx}$. Hence the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

Similarly Yacobi's authenticated key exchange protocol is exactly the same as the MTI/A0 protocol, except that $\alpha$ is an element of the group of units $\mathbb{Z}_n^*$, where n is the product of 2 large primes. Again, the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

EP0739106 A1

A further way of foiling the interposition of E is to require that each entity prove to a trusted center that it knows the exponent of $\alpha$ that produces its public key P, before the center issues a certificate for the public key. Because E only knows "e" and not "ae" it would not meet this requirement. This can be achieved through zero knowledge techniques to protect the secrecy of the private keys but also requires the availability of a trusted centre which may not be convenient.

Each of the above examples has been described with a 2 pass protocol for key authentication. One pass protocols also exist to establish a key between correspondents and may be similarly vulnerable.

As an example the Nyberg-Rueppel one pass key agreement protocol will be described and a modification proposed.

The purpose of this protocol is for party A and party B to agree upon a secret session key K.

The system parameters for these protocols are a prime number p and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. User A has private key a and public key $p_A = \alpha^a$. User B has private key b and public key $p_B = \alpha^b$.

1. A selects random integers x and t, $1 \le x, t \le p-2$.

2. A computes $r = (p_B)^t \alpha^{-x} \bmod p$ and $s = x - ra \bmod (p-1)$, and sends $\{r, s, \text{text}_A\}$ to B.

3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r\alpha^x)^{b^{-1}} = \alpha^t \bmod p$.

If interloper E wishes to have messages from A identified as having originated from herself, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = \alpha^e$, and gets this certified as her public key.

1. E intercepts A's message $\{r, s, \text{text}_A\}$ and computes $\alpha^x = \alpha^s (p_A)^r$ and $\alpha^{bt} = r\alpha^x$.

2. E then selects a random integer x', $1 \le x' \le p-2$, computes $r' = \alpha^{bt} \alpha^{-x'} \bmod p$ and $s' = x' - r'e \bmod (p-1)$.

3. E sends $\{r', s', \text{text}_E\}$ to B.

4. B recovers the value $\alpha^{x'} \bmod p$ by computing $\alpha^{s'} (p_E)^{r'} \bmod p$ and then computes $K = (r'\alpha^{x'})^{b^{-1}} = \alpha^t \bmod p$.

5. A and B now share the key K, even though B believes he shares a key with E.

To foil such an attack the protocol is modified by requiring A to also transmit a value h of $F(p_A, K)$, where F is a hash function, an encryption function of a symmetric-key system with key K or other suitable cryptographic function. The modified protocol is the following.

1. A selects random integers x and t, $1 \le x, t \le p-2$.

2. A computes $r = (p_B)^t \alpha^{-x} \bmod p$, $s = x - ra \bmod (p-1)$, session key $K = \alpha^t \bmod p$ and the value h of hash function $F(p_A, K)$. A sends $\{r, s, h, \text{text}_A\}$ to B.

3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r\alpha^x)^{b^{-1}} = \alpha^t \bmod p$. B also computes the value h* of function $F(p_A, K)$ and verifies that this value is equal to h.

Again therefore by binding together the public information $\pi$ and the session key K in the hash function, the interposition of E will not result in identical hash functions h, h'.

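The following Python, added here as an illustration rather than taken from the patent, carries the Nyberg-Rueppel one-pass exchange, E's re-signing of A's message, and the modified protocol's check of $F(p_A, K)$ through on constructed toy parameters p = 23, α = 5; the helper names, the 4-byte encoding of the inputs and the SHA-1 instantiation of F are assumptions.

```python
import hashlib
import hmac

# Constructed toy parameters (an assumption of this demonstration, not from the
# patent); a deployment uses a large prime p.  B's private key b must be
# invertible modulo p-1 because B raises to the power b^{-1}.
P = 23       # system prime p, so exponents are reduced modulo p-1 = 22
ALPHA = 5    # generator alpha of Z*_p


def F(pi: int, K: int) -> bytes:
    """The patent's F(pi, K): SHA-1 over the concatenation of pi and K."""
    return hashlib.sha1(pi.to_bytes(4, "big") + K.to_bytes(4, "big")).digest()


def nr_send(a, p_A, p_B, x, t):
    """A's single pass (modified protocol): r = p_B^t alpha^{-x} mod p,
    s = x - r a mod (p-1), K = alpha^t mod p, h = F(p_A, K).
    Returns (r, s, h) for transmission plus A's copy of K."""
    r = pow(p_B, t, P) * pow(ALPHA, -x, P) % P
    s = (x - r * a) % (P - 1)
    K = pow(ALPHA, t, P)
    return r, s, F(p_A, K), K


def nr_receive(b, p_sender, r, s, h):
    """B's side: recover alpha^x = alpha^s * p_sender^r mod p, derive
    K = (r alpha^x)^{b^{-1}} mod p, and compare h with F(p_sender, K).
    p_sender is the public key named by the text field B received, so a
    message relabelled as E's is checked against p_E rather than p_A."""
    alpha_x = pow(ALPHA, s, P) * pow(p_sender, r, P) % P
    K = pow(r * alpha_x % P, pow(b, -1, P - 1), P)
    ok = hmac.compare_digest(h, F(p_sender, K))
    return K, ok


def interpose(e, p_A, r, s, x_prime):
    """E's rewrite of {r, s} under her own key p_E = alpha^e (the patent's
    attack steps 1 and 2): recover alpha^x and alpha^{bt} = r alpha^x,
    then re-sign with a fresh x'.  The derived K is unchanged."""
    alpha_x = pow(ALPHA, s, P) * pow(p_A, r, P) % P
    alpha_bt = r * alpha_x % P
    r2 = alpha_bt * pow(ALPHA, -x_prime, P) % P
    s2 = (x_prime - r2 * e) % (P - 1)
    return r2, s2


if __name__ == "__main__":
    a, p_A = 3, pow(ALPHA, 3, P)      # A's key pair (constructed)
    b, p_B = 7, pow(ALPHA, 7, P)      # B's key pair; gcd(7, 22) = 1
    e, p_E = 5, pow(ALPHA, 5, P)      # E's certified key pair
    r, s, h, K_A = nr_send(a, p_A, p_B, x=4, t=6)
    print("honest:", nr_receive(b, p_A, r, s, h))            # (8, True)
    r2, s2 = interpose(e, p_A, r, s, x_prime=2)
    print("relabelled as E:", nr_receive(b, p_E, r2, s2, h))  # (8, False)
```

In the relabelled run B still derives K = 8, so without h the substitution would go unnoticed; the mismatch between h = F(p_A, K) and B's recomputed F(p_E, K) is what exposes it.
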
In each case it can be seen that a relatively simple modification to the protocols involving the binding of public and private information in a cryptographic function foils the interposition of interloper E.

All the protocols discussed above have been described in the setting of the multiplicative group $\mathbb{Z}_p^*$. However, they can all be easily modified to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field (in particular the finite field $GF(2^n)$), subgroups of $\mathbb{Z}_p^*$ of order q, and the group of points on an elliptic curve defined over a finite field. In each case an appropriate generator $\alpha$ will be used to define the public keys.

The protocols discussed above can also be modified in a straightforward way to handle the situation when each user picks their own system parameters p and $\alpha$ (or analogous parameters if a group other than $\mathbb{Z}_p^*$ is used).

Claims 

1. A method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator $\alpha$ and respective ones of said private keys a, b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said correspondent B selecting a second random integer y and exponentiating a function $f'(\alpha)$ including said generator to a power $g(y)$ to provide a second exponentiated function $f'(\alpha)^{g(y)}$;

iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

v) said second correspondent B generating a value h of a function $F[\pi, K]$ where $F[\pi, K]$ denotes a cryptographic function applied conjointly to $\pi$ and K and where $\pi$ is a subset of the public information provided by B thereby to bind the values of $\pi$ and K;

vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponential function $f'(\alpha)^{g(y)}$ and said value h of said cryptographic function $F[\pi, K]$;

vii) said first correspondent receiving said message and computing a session key K from information made public by said second correspondent B and private to said first correspondent A;

viii) said first correspondent A computing a value h' of a cryptographic function $F[\pi, K]$; and

ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

2. A method of claim 1 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

3. A method according to claim 1 wherein said message forwarded by said second correspondent includes an identification of said second correspondent.

4. A method according to claim 3 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

5. A method according to claim 1 wherein said first function $f(\alpha)$ including said generator is said generator itself.

6. A method according to claim 1 wherein said second function $f'(\alpha)$ including said generator is said generator itself.

7. A method according to claim 6 wherein said first function $f(\alpha)$ including said generator is said generator itself.

8. A method according to claim 1 wherein said first function including said generator $f(\alpha)$ includes said public key $p_B$ of said second correspondent.

9. A method according to claim 1 wherein said second function including said generator $f'(\alpha)$ includes said public key $p_A$ of said first correspondent.

10. A method according to claim 1 wherein said cryptographic functions F are hashes of $\pi$ and K.

11. A method of transporting a key between a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator $\alpha$ and respective ones of said private keys a, b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

iv) both of said first correspondent A and said second correspondents B computing a respective value h, h' of function $F[\pi, K]$ where $F[\pi, K]$ denotes a cryptographic function applied to $\pi$ and K and where $\pi$ is a subset of the public information provided by one of said correspondents;

v) at least one of said correspondents comparing said values h, h' obtained from said cryptographic function F to confirm their correspondence.

12. A method of claim 11 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

13. A method according to claim 11 wherein said message forwarded by said first correspondent includes said value obtained from said cryptographic function by said first correspondent.

14. A method according to claim 11 wherein said values obtained from said cryptographic functions are obtained from a hash of said public information and said session key K.

15. A method according to claim 11 wherein said first correspondent selects a pair of random integers x and t and generates a session key K as $f(\alpha)^{g(x)}$, and generates a value r from said first exponentiated function $f(\alpha)^{g(x)}$ which includes a factor exponentiating said public key $p_B$ of said second correspondent B with said random integer t to be of the form $p_B^{\,g(t)} f(\alpha)^{g(x)}$.

16. A method according to claim 15 wherein said first correspondent A generates a value s from a combination of said random integer x and said private key a and forwards said value of r and said value of s to said second correspondent B to permit said second correspondent B to recover said session key K using the private key b of said second correspondent B.

17. A method according to claim 16 wherein said random integer x and said private key a are combined to produce s such that $s = x - ra \bmod (p-1)$.

18. A method according to claim 17 wherein said cryptographic function F is a hash of said public information $\pi$ and said session key K.

19. A method according to claim 18 wherein said public information $\pi$ is the public key $p_A$ of said first correspondent A.